Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP) Systems in accordance with (IAW) C.1.8.7

Transcription

1 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS Risk Management Framework Plan Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP) Systems in accordance with (IAW) C November 4, 2016 Prepared by CenturyLink Government Services, Inc North Fairfax Drive Arlington, VA SFA# /NSP# i RFP No.: QTA0015THA3003 Company Proprietary Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016

2 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS Risk Management Framework Plan REVISION HISTORY Revision Number Revision Date Revision Description Revised by SFA# /NSP# ii RFP No.: QTA0015THA3003 Company Proprietary Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016

3 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS Risk Management Framework Plan TABLE OF CONTENTS EIS Risk Management Framework Plan (RMFP) Overview... 1 Purpose... 2 Related Plans... 3 Tier 1 Organization: CenturyLink... 4 Tier 2 Mission/Business Process: CenturyLink Risk Management for EIS... 6 Tier 3 Information Systems... 8 Information System RMFP Development Process LIST OF FIGURES Figure 1. Enterprise Security Risk Management Program... 3 Figure 2. Risk Management Framework Plan Steps LIST OF TABLES Table 1. EIS Products and Services SFA# /NSP# iii RFP No.: QTA0015THA3003 Company Proprietary Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016

4 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS Risk Management Framework Plan EIS RISK MANAGEMENT FRAMEWORK PLAN (RMFP) OVERVIEW CenturyLink follows industry-leading information security standards and best practices to ensure the integrity of our services and confidentiality of customer and company information. Comprehensive security policies and standards guide these practices which include extensive controls in the areas of personnel, systems, and facility security. CenturyLink maintains a hierarchy of information security-related policies and standards, using the National Institute of Standards and Technology (NIST) Special Publication (SP) 800 series as guidance. Authority for these policies is founded in the CenturyLink code of conduct (available on the public Internet under our corporate governance page), and corporate ethics and compliance program, as authorized by the CenturyLink Board of Directors. CenturyLink implements industry standard security to ensure data assurance, integrity, and confidentiality of customer and company information in support of our telecommunications services. These practices include implementing controls in the areas of personnel, systems, and facility security. CenturyLink has also implemented comprehensive Business Continuity and Disaster Recovery (BC/DR) measures and controls to ensure the availability of customer and corporate networks. To ensure that the security architecture stays current with best practices, CenturyLink takes a lead role in developing standards, working with vendors, and implementing innovative approaches to improve our products, including security services. In support of the General Services Administration (GSA) Networx Universal and Enterprise contracts, CenturyLink has delivered system security plans and obtained Department of Homeland Security (DHS) Cybersecurity Compliance Validation (CCV) and Trusted Internet Connections (TIC) Compliance Validation (TCV) for the Managed Trusted Internet Protocol Service (MTIPS) TIC Networx accreditation, annually, since CenturyLink will continue to maintain the systems security plans and accreditations with the DHS and GSA under Enterprise Infrastructure Solutions (EIS). CenturyLink operates and maintains several government-accredited facilities throughout the U.S. These facilities are capable of processing and storing information at the top SFA# /NSP# RFP No.: QTA0015THA3003 Company Proprietary Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016

5 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS Risk Management Framework Plan secret/sensitive compartmented information (TS/SCI) security level. The facilities support various government contracts, which include the DHS EINSTEIN 3 Accelerated (E 3 A) program, and have a long history of commendable security compliance assessments. This effectively demonstrates CenturyLink s knowledge and ability to apply the risk management framework. Building a foundation on the CenturyLink processes and controls we have previously used to reduce risk in information systems, we have developed a risk management framework plan (RMFP) that consolidates our practices, standards, framework, and processes across the system lifecycle. PURPOSE This CenturyLink RMFP addresses EIS requirements for security compliance in accordance with the risk management framework and NIST SP (Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, issued February 2010), as defined in Request for Proposal (RFP) Section C.1.8.7, System Security Requirements. Our plan focuses on the processes and practices we will use to ensure security compliance for the services provided under EIS. We will implement our multi-tiered enterprise security program to achieve compliance, as detailed in the CenturyLink Security Risk Management Program depicted in Figure 1 below. There are a number of goals for CenturyLink s RMFP: Document the three-tiered approach for risk management to address risk-related concerns at each level of the hierarchy: The organization level addresses risk from an organizational perspective with the development of a comprehensive governance structure and organization-wide risk management strategy The mission and business process level defines and prioritizes the core missions and business processes for the organization and defines the types of information processed SFA# /NSP# RFP No.: QTA0015THA3003 Company Proprietary Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016

6 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS Risk Management Framework Plan The information system level determines the definition of a boundary and ultimately selects and applies appropriate safeguards and countermeasures Define the required six (6) risk management framework steps at the information system level: Categorize, Select, Implement, Assess, Authorize, Monitor Provide a process for creating information system risk management framework plans on a task order (TO) basis as demonstrated with the Business Support Systems (BSS) and MTIPS RMFPs CenturyLink will maintain and periodically update this plan with the benefit that revisions to this plan will be at no cost to the government. RELATED PLANS below: The following risk plans will also be developed and provided as indicated in the chart Plan RFP Reference Relationship to this Plan Draft Supply Chain Risk Management Plan G.6.3 Documents procedures for handling supply chain and thirdparty risk within the overall EIS risk framework Draft BSS Risk Management Framework Plan G Information system-specific risk plan for the BSS Draft MTIPS Risk Management Framework Plan C Information system-specific risk plan for MTIPS Figure 1. Enterprise Security Risk Management Program SFA# /NSP# RFP No.: QTA0015THA3003 Company Proprietary Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016

7

8 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS Risk Management Framework Plan Information security-related functions are performed in collaboration with CenturyLink s operations organizations, as follows: Corporate Security/information security (InfoSec): Provides end-to-end governance and policymaking; maintains comprehensive processes for measuring InfoSec risk and managing those risks within acceptable levels through clear policy-setting, assessments, and compliance management. Business continuity planning: Provides planning efforts, including facilitating the development, testing, and training of BC/DR plans to ensure that CenturyLink and our customers are prepared to effectively manage disaster situations. Risk assessment: Maintains a risk inventory to highlight the risk and potential exposure status for key infrastructure elements, including extensive monitoring and analysis of numerous sources for newly published vulnerabilities. Monitors compliance with CenturyLink policies and standards using key industry and international standards as guidance. CenturyLink conducts ongoing risk assessments of individual systems and network elements. Vulnerability management: CenturyLink has a number of threat intelligence feeds that provide vulnerability notifications. Threats are evaluated, and threat information, including vulnerability information, is distributed to appropriate operations teams through multiple methods. Strategic security planning with hardware and software suppliers: Reveals risk dependencies between systems and risk pinch points. Establishes strong relationships for vulnerability notification and remediation. Building compliance-based security into CenturyLink networks: Records and tracks risk remediation activity. Collects and collates data about incidents affecting information systems, highlighting root causes and business impact with appropriate follow-up. Operations/corporate infrastructure and systems sphere: Operational teams focus on information technology (IT) areas including internal CenturyLink computing and network components. SFA# /NSP# RFP No.: QTA0015THA3003 Company Proprietary Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016

9

10

11 Enterprise Infrastructure Solutions Volume 1 Technical Volume EIS Risk Management Framework Plan Information and Information Systems to Security Categories. The overall system categorizations are derived from the different information system types. The following security categorizations are applied to specific EIS information systems that have an established, identified, and agreed-to information system boundary with the GSA, and where GSA personnel have performed the FIPS 199 security category. EIS BSS Gateway EIS MTIPS EIS FedRAMP Services FIPS 199 Moderate Impact FIPS 199 High Impact FIPS 199 Moderate Impact RFP Section C specifies the minimum FIPS 199 security category as FIPS 199 moderate impact level due to the data that will be processed and held within the CenturyLink-provided EIS services and resultant solutions and systems. More restrictive or higher impact levels can be stated within awarded TOs. TIER 3 INFORMATION SYSTEMS Information systems that initiate their lifecycles under the EIS program will inherit policies, processes, and technical control implementations from Tier 1 as appropriate. Each will comply with Tier 2 security directives; inherit control implementations, monitoring and tailoring from Tier 2 as appropriate; and address additional cybersecurity requirements and specific control tailoring directives in accordance with the agency policy and requirements that are issued within the TO under EIS. At this tier, all six steps of the risk management framework must be addressed across the system lifecycle and documented in a system-specific risk plan using the CenturyLink EIS RMFP process provided in Figure 2 below as applicable per the agency TO. SFA# /NSP# RFP No.: QTA0015THA3003 Company Proprietary Data contained on this page is subject to the restrictions on the title page of this proposal. November 4, 2016

12

13

14

15

16

17

18

19